CIS CYBER SECURITY ADVISORIES
MS-ISAC CYBER SECURITY ADVISORY NUMBER:
Multiple Vulnerabilities in Apple Mac OS X
Multiple vulnerabilities have been discovered in Apple's Mac OS X and Mac OS X Server that could allow remote code execution. Mac OS X is a desktop operating system for the Apple Mac. Mac OS X Server is a server operating system for the Apple Mac.
These vulnerabilities may be exploited if a user visits or is redirected to a specially crafted web page or when a user opens a specially crafted file. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Apple Mac OS X 10.6
- Apple Mac OS X Server 10.6
- Apple Mac OS X 10.7
- Apple Mac OS X Server 10.7
- Apple Mac OS X 10.8
- Apple Mac OS X Server 10.8
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
Home users: High
Multiple vulnerabilities have been discovered in Apple Mac OS X. The details of these vulnerabilities are as follows:
- A buffer-overflow vulnerability exists in the DirectoryService Proxy. (CVE-2012-0650)
- A buffer-overflow vulnerability occurs due to an out of bounds memory read or write error. Specifically, the issueexists in the handling of text glyphs. (CVE-2012-3716)
- A local security-bypass issue occurs in the LoginWindow component. An attacker can exploit this issue to obtain other user's login passwords. (CVE-2012-3718)
- An input validation security vulnerability exists in Mail's handling of embedded web plugins. An attacker can exploit this issue to execute web plugins when viewing a specially crafted e-mail message. (CVE-2012-3719)
- An information-disclosure vulnerability exists due to an issue in mobile accounts. Specifically, the issue occurs because creating a mobile account saves a hash of the password in the account. Attackers can exploit this issue to obtain the user's password using the hash. (CVE-2012-3720)
- A security vulnerability exists in the Device Management private interface. An attacker can exploit this issue to enumerate managed devices. (CVE-2012-3721)
- Multiple vulnerabilities in Apache, the most serious of which could lead to a denial of service. It should be noted that OS X Mountain Lion is not affected by this vulnerability. (CVE-2011-3368, CVE-2011-3607, CVE-2011-4317, CVE-2012-0021, CVE-2012-0031, CVE-2012-0053)
- Multiple vulnerabilities exist in BIND which may lead to a denial of service condition, data corruption, or information disclosure in systems configured to run BIND as a DNS nameserver. (CVE-2011-4313, CVE-2012-1667)
- Multiple memory corruption vulnerabilities exist due to the way that libpng handles PNG images. (CVE-2011-3026, CVE-2011-3048)
- An integer overflow vulnerability exists when viewing specially crafted TIFF images that could lead to arbitrary code execution. (CVE-2012-1173)
- A stack buffer overflow vulnerability exists in the handling of ICU local ID's that may allow arbitrary code execution. (CVE-2011-4599)
- A logic issue exists due to the handling of debug system calls. This vulnerability may allow a malicious program to execute code in other programs with the same user privileges. (CVE-2012-0643)
- Multiple vulnerabilities exist in PHP. The most severe vulnerability could lead to remote code execution. (CVE-2012-0831, CVE-2012-1172, CVE-2012-1823, CVE-2012-2143, CVE-2012-2311, CVE-2012-2386, CVE-2012-2688, CVE-2011-3048)
- A memory corruption vulnerability exists due to the way QuickLook handles .pict files that could lead to remote code execution. (CVE-2012-0671)
- An integer overflow vulnerability exists in QuickTime's handling of sean atoms that could lead to remote code execution. (CVE-2012-0670)
- An uninitialized memory access vulnerability exists due to the improper handling of Sorenson encoded movie files that could lead to remote code execution. (CVE-2012-3722)
- A buffer overflow vulnerability exists due to the handling of RLE encoded movie files that could lead to remote code execution. (CVE-2012-0668)
- A memory corruption issue exists in the handling of USB hub descriptors whichcould allow for remote code execution. (CVE-2012-3723)
These patches also enable Ruby OpenSSL empty fragments in order to mitigate attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cypher suite uses a block cipher in CBC mode. (CVE-2011-3389)
Successful exploitation of any of these remote code execution vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed attempts could result in a denial-of-service.
We recommend the following actions be taken:
- Apply appropriate patches provided by Apple to affected systems immediately afterappropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.
- Remind users not to download or open files from un-trusted websites.
- Remind users not to open e-mail attachments from unknown users or suspicious e-mails from trusted sources.
- Remind users not to click links from unknown sources, or to click links without verifying the intended destination.